
CVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork

Severity: Medium
Published: Sat Aug 16 2025 (08/16/2025, 03:38:48 UTC)
Source: CVE Database V5
Vendor/Project: remysharp
Product: Last.fm Recent Album Artwork

Description

The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Last updated: 08/16/2025, 04:04:56 UTC

Technical Analysis

CVE-2025-7684 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Last.fm Recent Album Artwork WordPress plugin developed by remysharp. It affects all versions up to and including 1.0.2. The root cause is the absence or improper implementation of nonce validation on the 'lastfm_albums_artwork.php' page. Nonces are security tokens used to verify that requests made to a web application are intentional and authorized by the user. Without proper nonce validation, an attacker can craft a malicious request that, when executed by an authenticated administrator (for example, by clicking a link or visiting a malicious webpage), causes the plugin to update its settings or inject malicious scripts. This can lead to unauthorized changes in the plugin's configuration and potentially enable further attacks such as persistent cross-site scripting (XSS). The vulnerability is exploitable remotely without authentication but requires user interaction (the administrator must be tricked into performing an action). The CVSS v3.1 base score is 6.1 (medium severity), reflecting the network attack vector, low attack complexity and no privileges required, offset by the need for user interaction. The impact includes limited confidentiality and integrity loss, with no direct availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is significant because WordPress is widely used, and plugins like Last.fm Recent Album Artwork are common on sites that integrate music-related content, making this a relevant threat vector for website administrators.
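As an added illustration (not the plugin's source, which this advisory does not include), a hypothetical WordPress settings handler in the shape the analysis describes, beside a version that checks a capability and a nonce before saving. The option name 'lfm_settings', the field names and the action name are assumed.

```php
<?php
// Added illustration, not the plugin's source (which the advisory does not
// include). Hypothetical settings handler for a WordPress options page;
// the option name 'lfm_settings' and the field names are assumed.

// The defect class the advisory describes: the option is written whenever
// the POST field is present, with nothing proving the request originated
// from a form the administrator submitted on this site.
function lfm_save_settings_unprotected() {
    if ( ! isset( $_POST['lfm_username'] ) ) {
        return;
    }
    update_option( 'lfm_settings', array( 'username' => $_POST['lfm_username'] ) );
}

// Hardened form: the rendered form carries a nonce bound to an action name
// and the current user's session, and the handler refuses a POST without it.
function lfm_render_settings_form() {
    $opts = get_option( 'lfm_settings', array( 'username' => '' ) );
    echo '<form method="post">';
    // Emits hidden fields 'lfm_nonce' and '_wp_http_referer' for this action.
    wp_nonce_field( 'lfm_save_settings', 'lfm_nonce' );
    printf(
        '<input type="text" name="lfm_username" value="%s">',
        esc_attr( $opts['username'] )
    );
    submit_button( 'Save' );
    echo '</form>';
}

function lfm_save_settings_protected() {
    if ( ! isset( $_POST['lfm_username'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Nonce check: wp_verify_nonce() returns false for a missing, forged or
    // expired token, which is what a form hosted on another site produces.
    $nonce = isset( $_POST['lfm_nonce'] ) ? $_POST['lfm_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'lfm_save_settings' ) ) {
        wp_die( 'Security check failed.' );
    }
    // Sanitize before storing so a saved value cannot carry markup or script
    // into the pages where the plugin later prints it.
    $username = sanitize_text_field( wp_unslash( $_POST['lfm_username'] ) );
    update_option( 'lfm_settings', array( 'username' => $username ) );
}
```

The nonce alone does not replace the capability check: a nonce proves the request came from a form this site rendered for this user, while current_user_can() proves the user is allowed to make the change.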

Potential Impact

For European organizations, especially those operating WordPress-based websites with the Last.fm Recent Album Artwork plugin installed, this vulnerability poses a risk of unauthorized configuration changes and potential injection of malicious scripts. This can lead to compromised website integrity, defacement, or the delivery of malicious payloads to site visitors, which could damage brand reputation and user trust. In regulated sectors such as finance, healthcare, or government, such compromises could also lead to data privacy violations under GDPR if personal data is exposed or manipulated. The attack requires tricking an administrator, so organizations with less stringent user security awareness or lacking multi-factor authentication on admin accounts are at higher risk. Although no active exploitation is reported, the medium severity score and ease of exploitation without authentication make it a credible threat that could be leveraged in targeted attacks or automated scanning campaigns. The scope is limited to sites using this specific plugin, but given WordPress’s popularity in Europe, the potential impact is non-negligible.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify if the Last.fm Recent Album Artwork plugin is in use and verify the version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Implementing strict administrative access controls, including multi-factor authentication and limiting admin privileges, can reduce the risk of successful exploitation. Educating administrators about phishing and social engineering risks is critical to prevent inadvertent triggering of CSRF attacks. Additionally, deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious POST requests targeting the vulnerable plugin endpoints can provide a temporary protective layer. Monitoring web server logs for unusual activity related to 'lastfm_albums_artwork.php' can help detect attempted exploitation. Once a patch is available, prompt application of updates is essential. Finally, adopting a security plugin that enforces nonce validation and CSRF protections site-wide can help prevent similar vulnerabilities.
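An added example, not part of the advisory, of the log monitoring suggested above: a PHP script that flags POST requests to the plugin page whose Referer is absent or points at another host. The site host, the request path and the sample log lines are constructed.

```php
<?php
// Added detection example, not code from the advisory or the plugin. Scans
// combined-format (Apache/nginx) access log lines for POST requests to the
// plugin page whose Referer is missing or points at another host: a settings
// form submitted from a third-party page rather than from wp-admin.
// SITE_HOST, the request path and the sample lines are constructed.

const SITE_HOST   = 'blog.example';
const TARGET_PAGE = 'lastfm_albums_artwork.php';

// client ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function flag_suspicious_posts(array $lines, string $site_host = SITE_HOST): array
{
    $hits = array();
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue; // not a combined-format line
        }
        list(, $client, $time, $method, $path, $status, $referer) = $m;
        if ($method !== 'POST' || strpos($path, TARGET_PAGE) === false) {
            continue;
        }
        // A legitimate save is posted from a wp-admin page on this host. A
        // suppressed Referer is flagged too (review manually: a strict
        // Referrer-Policy also produces it).
        $ref_host = ($referer === '-' || $referer === '') ? null : parse_url($referer, PHP_URL_HOST);
        if ($ref_host !== null && strcasecmp($ref_host, $site_host) === 0) {
            continue;
        }
        $hits[] = sprintf('%s client=%s status=%s referer=%s', $time, $client, $status, $referer);
    }
    return $hits;
}

$sample = array(
    // constructed: admin saves settings from the plugin's own page
    '198.51.100.7 - - [16/Aug/2025:10:15:22 +0000] "POST /wp-admin/options-general.php?page=lastfm_albums_artwork.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php?page=lastfm_albums_artwork.php" "Mozilla/5.0"',
    // constructed: same endpoint, but the form was submitted from an unrelated site
    '198.51.100.7 - - [16/Aug/2025:10:17:03 +0000] "POST /wp-admin/options-general.php?page=lastfm_albums_artwork.php HTTP/1.1" 302 0 "https://news.example.net/article" "Mozilla/5.0"',
    // constructed: a GET is just the admin opening the settings screen
    '198.51.100.7 - - [16/Aug/2025:10:14:50 +0000] "GET /wp-admin/options-general.php?page=lastfm_albums_artwork.php HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"',
);

foreach (flag_suspicious_posts($sample) as $hit) {
    echo "CSRF indicator: $hit\n";
}
```

Only the second sample line is reported; the Referer heuristic is an indicator for triage, not proof, so a flagged entry should be correlated with option changes recorded around the same time.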


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-15T18:48:20.341Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689fff64ad5a09ad007439b4

Added to database: 8/16/2025, 3:47:48 AM

Last enriched: 8/16/2025, 4:04:56 AM

Last updated: 8/16/2025, 11:42:00 AM
